Solved

Checkpoint and ISA design

Posted on 2010-08-20
2
446 Views
Last Modified: 2013-11-16
Hi,

I have a checkpoint firewall and ISA 2004 server and I want to implement a front end backend design.

I was think of putting CP External facing Internet and ISA as the backend,

ISA-------CP--------Internet

Any advice of on this ?
0
Comment
Question by:skywalker101
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 18

Accepted Solution

by:
deimark earned 500 total points
ID: 33487973
Either way works well here as the external firewall, however, I tend to prefer the CP FW on the perimeter and ISA on the inside.

Although ISA is a good firewall in itself, I prefer to use a purpose built firewall on the outside and use ISA on the inside.  You can utilise more of the perimeter protections on CP, like the IPS blade etc

Key things to take into account for traffic and rules is where you are doing NAT.  I would pick either CP or ISA to be the master NAT device as natting on each side does add to confusion when debugging any issues

HTH
0
 

Author Comment

by:skywalker101
ID: 33490657
Yea Checkpoint will be my master natting device as I find there is a lot more functionality with CP over iSA.
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Sbs2011 has been hacked. Foreign users in AD 7 173
Class Map is not matching traffic on Global Policy??? 2 55
Trojan blocked 11 117
Firewall blocking images 4 107
Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question